How to use WSUS to get control over Windows

Date: 14/10/2015

This was one of the most interesting attacks showed on Black Hat Las Vegas 2015. Let’s imagine the situation: there’s a large park of Windows computers in a large organization, and they all need to be updated. Obviously, getting all of them to download updates over the Internet is both pricy and uncomfortable. The common solution is a WSUS (Windows Server Update Services) server, which is used to manage updates. It downloads the updates and delivers them to all other computers.


This is a typical task and the solution is standard, so WSUS is widely adopted. This also makes it an attractive target for attacks. The Contextis company examined the principles of its work and developed an attack, which is both very powerful (you can get RCE with System privileges) and easy to reproduce. The white paper is voluminous, so we’ll concentrate on the main points.

So the company has a WSUS server, and the end hosts are configured through group policies to address this particular server for the updates. They use SOAP protocol, which by default works over HTTP. This is one of the most important factors for us. The standard port is 8530.

You can find a path to the end host in this registry node.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer

Here’s how the interaction between different hosts works. First of all the end host registers itself on the server and gets a cookie in reply, which is used later to access the server. After that the host routinely (usually once in 24 hours) requests if there’s an update. WSUS responds with a list of updates and paths, which can be used to download an update (also on WSUS). In case of an automated update the host downloads and installs the data found in the update (from SYSTEM, of course). There’s a similar process for installing drivers. In fact this process (and also the protocol) is identical to updating through Windows Update.

Only those updates can be installed that are signed with a valid Microsoft certificate. It is the primary component of the defence.

Several types of updates were found during the research. The most interesting for us is CommandLineInstallation (it’s a handler from the query). It uploads an executable file to the OS and runs it with particular parameters (for example this is used to run Microsoft’s antivirus).

So we have some hosts and a WSUS server. They communicate over an unprotected HTTP, so we can execute a MitM attack to change the data in the SOAP requests and the responses (SOAP requests themselves are not signed). The client has no means to check if the updates are real, we can install whatever we want during the attack. Using CommandLineInstallation we can execute any commands with any parameters in the OS.

Of course the executable file must be signed with a Microsoft certificate, but there’s no special Windows Update certificate. We can use any of them. Contextis suggests Mark Russinovich’s Sysinternals Tools as an excellent option. Since these tools were officially adopted by Microsoft they have a valid signature. With PsExec we can execute any commands and run any software (Meterpreter for example). We can also use BGinfo, since some third party antiviruses do not like PsExec.

As we can see, with default settings the system is extremely vulnerable. The main problem boils down to making the end host request updates from WSUS, so that we wouldn’t have to wait for 24 hours to execute an attack.

BGinfo from Sysinternals Tools is signed by MS

BGinfo from Sysinternals Tools is signed by MS

Related posts:
2022.01.13 — Step by Step. Automating multistep attacks in Burp Suite

When you attack a web app, you sometimes have to perform a certain sequence of actions multiple times (e.g. brute-force a password or the second authentication factor, repeatedly…

Full article →
2022.02.15 — Reverse shell of 237 bytes. How to reduce the executable file using Linux hacks

Once I was asked: is it possible to write a reverse shell some 200 bytes in size? This shell should perform the following functions: change its name…

Full article →
2023.04.04 — Serpent pyramid. Run malware from the EDR blind spots!

In this article, I'll show how to modify a standalone Python interpreter so that you can load malicious dependencies directly into memory using the Pyramid…

Full article →
2022.01.01 — It's a trap! How to create honeypots for stupid bots

If you had ever administered a server, you definitely know that the password-based authentication must be disabled or restricted: either by a whitelist, or a VPN gateway, or in…

Full article →
2022.06.01 — F#ck AMSI! How to bypass Antimalware Scan Interface and infect Windows

Is the phrase "This script contains malicious content and has been blocked by your antivirus software" familiar to you? It's generated by Antimalware Scan Interface…

Full article →
2022.02.15 — First contact: How hackers steal money from bank cards

Network fraudsters and carders continuously invent new ways to steal money from cardholders and card accounts. This article discusses techniques used by criminals to bypass security…

Full article →
2023.06.08 — Croc-in-the-middle. Using crocodile clips do dump traffic from twisted pair cable

Some people say that eavesdropping is bad. But for many security specialists, traffic sniffing is a profession, not a hobby. For some reason, it's believed…

Full article →
2022.01.11 — Pentest in your own way. How to create a new testing methodology using OSCP and Hack The Box machines

Each aspiring pentester or information security enthusiast wants to advance at some point from reading exciting write-ups to practical tasks. How to do this in the best way…

Full article →
2022.06.01 — Log4HELL! Everything you must know about Log4Shell

Up until recently, just a few people (aside from specialists) were aware of the Log4j logging utility. However, a vulnerability found in this library attracted to it…

Full article →
2023.01.22 — Top 5 Ways to Use a VPN for Enhanced Online Privacy and Security

This is an external third-party advertising publication. In this period when technology is at its highest level, the importance of privacy and security has grown like never…

Full article →